Credit Card Processing for Small Business


Credit Card Processing and Information Security: What You Need to Know

Do you take payments by credit card, or do any of your clients? SofTECH member and information security consultant Hugh Deura discusses the security regulations (called PCI) surrounding credit card processing. He’ll explain the objectives of the existing regulations, and the practical steps businesses must take in order to comply.

His discussion covers the 12 Myths of PCI compliance, along with the 12 Facts that set those myths straight.

Hugh Deura has over 10 years of experience in information security and compliance. Hugh blogs at DeuraInfoSec and helps clients comply with industry standards and regulations, succeeding in information security through due diligence.
Deura Information Security (DISC) was established in the North Bay (Petaluma), California in 2002 and provides services in security risk assessment, design of new controls, and remediation processes to help businesses comply with industry regulations and standards.

Published in: Technology, Economy & Finance
Credit Card Processing for Small Business

  1. Information Security & Compliance: How PCI DSS compliance is relevant to small business. Presented by Hugh Deura, Deura Information Security Consulting. SofTech Meeting, May 2009, San Rafael, CA. Mark Ginnebaugh, SofTech President.
  2. Agenda
     • When does PCI DSS apply?
     • PCI DSS misconceptions
     • Approach to PCI
     • Q&A
  3. When PCI applies: PCI DSS is the Payment Card Industry Data Security Standard. “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”
  4. PCI: six main objectives
     • Build and Maintain a Secure Network
     • Protect Cardholder Data
     • Maintain a Vulnerability Management Program
     • Implement Strong Access Control Measures
     • Regularly Monitor and Test Networks
     • Maintain an Information Security Policy
  5. PCI: 12 requirements
     1: Install and maintain a firewall configuration to protect cardholder data
     2: Do not use vendor-supplied defaults for system passwords and other security parameters
     3: Protect stored cardholder data
     4: Encrypt transmission of cardholder data across open, public networks
     5: Use and regularly update anti-virus software
     6: Develop and maintain secure systems and applications
     7: Restrict access to cardholder data by business need-to-know
     8: Assign a unique ID to each person with computer access
     9: Restrict physical access to cardholder data
     10: Track and monitor all access to network resources and cardholder data
     11: Regularly test security systems and processes
     12: Maintain a policy that addresses information security
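Requirement 3 (protect stored cardholder data) is the one a small merchant most often fails without knowing it, because full card numbers leak into places nobody planned for, such as application and web-server logs. The script below is an added example, not part of the deck or of DISC's material: it scans constructed sample log lines for 13- to 19-digit sequences that pass the Luhn check (which every real PAN does and most order numbers and session ids do not), and rewrites each hit masked to its first six and last four digits, the most PCI DSS permits to be displayed. The regular expression, function names and sample log are the example's own assumptions; the 4111... and 5500... numbers are the well-known test card numbers, not real cards.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits. (Assumed pattern, not from the PCI DSS text.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEP_RE = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every card brand's PAN passes it, most other numeric ids do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs in text as digit strings with separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = SEP_RE.sub("", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> Tuple[str, int]:
    """Replace each Luhn-valid PAN in line with its masked form; return (redacted_line, pan_count)."""
    count = 0

    def _mask(m):
        nonlocal count
        digits = SEP_RE.sub("", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # order numbers, session ids etc. are left untouched
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(_mask, line), count


def scan_log(lines: List[str]) -> List[Tuple[int, int, str]]:
    """Return (line_index, pan_count, redacted_line) for every line that leaked a PAN."""
    hits = []
    for idx, line in enumerate(lines):
        redacted, count = redact_line(line)
        if count:
            hits.append((idx, count, redacted))
    return hits


# Constructed sample log lines for the example; the card numbers are test numbers.
SAMPLE_LOG = [
    "2009-05-12 10:01:22 INFO order=1234567890123 status=approved",
    "2009-05-12 10:01:23 DEBUG auth request pan=4111 1111 1111 1111 exp=0511",
    "2009-05-12 10:01:24 DEBUG auth request pan=5500-0000-0000-0004 exp=1210",
    "2009-05-12 10:01:25 INFO session=1234567890123456 user=alice",
]

if __name__ == "__main__":
    for idx, count, redacted in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {count} PAN(s) found -> {redacted}")
```

Run against real log directories, the hit list tells you which component writes full PANs and needs fixing at the source; masking the log afterwards only limits the damage already done, since the unmasked data was still stored, which is exactly what requirement 3 forbids. Lines 0 and 3 of the sample are deliberately 13- and 16-digit numbers that fail Luhn, to show that plain digit-length matching alone would produce false positives.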
  6. It does not apply to us
     M1 – It does not apply to us; we are a relatively small company.
     F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data.
  7. PCI is a regulation or a standard
     M2 – PCI DSS is either a regulation or a standard.
     F2 – It is neither a standard nor a regulation. It is a contractual agreement between the card associations, the merchant banks and merchants.
  8. We don’t have the expertise to address PCI compliance
     M3 – We neither understand PCI nor have in-house expertise to address compliance.
     F3 – The PCI documents clarify most of the questions in business terms, but get help to interpret the technical questions. Due care implies understanding your requirements in order to comply and protect your data.
  9. PCI has no ROI
     M4 – PCI has no ROI and is simply too much for a small business.
     F4 – PCI addresses a baseline of security for the payment card infrastructure, and its ROI is measured as total cost of ownership.
  10. Why bother
     M5 – Why bother, when some companies get breached even though they were compliant?
     F5 – PCI DSS compliance is not a one-time process; it is an ongoing process to maintain.
  11. Just fill out the questionnaire
     M6 – PCI compliance cannot be that hard; all we have to do is fill out the questionnaires.
     F6 – Yes, but the questionnaire has to be validated through a scan. Vulnerabilities need to be resolved before submitting the report to the merchant bank.
  12. My application & equipment are compliant
     M7 – My application and equipment are PCI compliant.
     F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment.
  13. PCI addresses the security of the whole organization
     M8 – PCI compliance addresses the security of the whole organization.
     F8 – PCI DSS does not address the CIA (confidentiality, integrity, availability) of the whole organization, only cardholder data security.
  14. A security breach will not affect our business
     M9 – A data breach will not affect the business revenue.
     F9 – A breached merchant can be moved to Level 1 (with its monitoring costs), lose card-acquiring ability, and face forensic charges and fines.
  15. We don’t need PCI scanning
     M10 – We don’t need to scan PCI assets.
     F10 – Quarterly scanning is mandatory for all merchants (Levels 1-4).
  16. Merchants can use any application
     M11 – Merchants can use any application to transmit, process and store PCI data.
     F11 – In fact, beginning in 2010, merchants can only use payment applications validated under the Payment Application Data Security Standard (PA-DSS).
  17. We have compensating controls in place
     M12 – We have compensating controls in place, so we are covered.
     F12 – You still have to prove how well the compensating control covers the PCI requirement. Compensating controls are harder to implement and cost more money in the long run.
  18. Your Approach To PCI DSS
     1. Understand your merchant level (1-4)
     2. Review the applicable requirements
     3. Identify the gap between your current and required state
     4. Implement changes to technology and policies!
     5. Validate requirements and attest to it
     6. Key: continue to maintain the secure-thus-compliant state!
  19. Q&A. DISC (707) 332-7457